OFFICE OF THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

CONTROLS OVER SINGLE PAYMENT SYSTEM PAYMENTS

September 2010   A-02-09-29123

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY

MEMORANDUM

Date:     September 30, 2010
To:       The Commissioner
From:     Inspector General
Subject:  Controls over Single Payment System Payments (A-02-09-29123)

OBJECTIVE

Our objective was to determine the effectiveness of controls over the release of Single Payment System (SPS) payments.

BACKGROUND

The Social Security Administration (SSA) administers the Old-Age, Survivors and Disability Insurance program under Title II of the Social Security Act. [1] Before May 2002, SSA was unable to make certain Title II payments through its automated systems. For example, SSA used a manual payment process to make appointed representative fee payments, death underpayments to non-beneficiaries, and reissued Lump-Sum Death payments. In May 2002, SSA created SPS to replace the manual payment process.

SPS requires that employees enter their personal identification number (PIN) to approve a payment. SPS payments above certain dollar amounts require expert or manager approval before issuance. In these situations, more than one employee PIN must be used to approve a payment in SPS. Payments up to $6,000 only require the originator’s PIN for processing. SPS payments over $6,000 to $49,999 require two unique PINs before releasing them—the originator’s PIN and a technical expert or team leader’s PIN. [2] SPS payments of $50,000 or more require three PINs—the originator’s PIN, the expert or team leader’s PIN, and a manager’s PIN. SPS can only process payments below $100,000; payments of $100,000 or more to one individual are divided into two or more payments for processing so payments are under $100,000.

[1] The Social Security Act § 202, 42 U.S.C. § 402 (2009).
[2] Before June 22, 2009, the SPS threshold for the 2-PIN process was $5,300.

SSA’s Top Secret System controls and monitors who can access and change critical data in SSA’s systems, including SPS. The Top Secret System protects against accidental or intentional corruption, destruction, disclosure, or denial of access to data by individually tracking an employee’s access to SSA’s systems. It also stores the employee’s name, PIN, and position information.

SSA’s Audit Trail System (ATS) collects and maintains electronic transactions entered into the Agency’s programmatic systems [3] including SPS payment transactions. ATS contains the daily collection of data each time an employee performs an auditable task or transaction and stores it in a record specific to that individual. ATS collects employee PIN data, Social Security numbers, and Title II benefit or income data.

During a meeting with staff in SSA’s New York Region, a case was discussed where SPS released a payment with the same PIN accepted more than once in a situation where three unique PINs should have been required. We initiated this audit to determine the extent of such cases and identify the weakness in SPS controls that allowed release of the payment without the required number of unique PINs.

To meet our objective, we performed data analysis of the over 2.5 million payments processed through SPS from May 2002 through February 2010. Our analysis identified 867 SPS payments in which the first PIN appeared to match either the second or third PIN recorded. From this population, we identified the payments actually released without proper PIN approval. Additionally, we reviewed a sample of 264 SPS payments requiring two or three PINs for approval to determine the appropriateness of the payments as well as whether the individual approving the payments was authorized to do so. See Appendix B for details of our scope and methodology.

RESULTS OF REVIEW

The controls over the release of SPS payments were generally effective, though some improvements were needed. We did not identify any improper payments in our sample; however, SSA released eight SPS payments of $50,000 or more, totaling $474,935, without approval by three unique PINs.

SPS PAYMENTS OF $50,000 OR MORE

While SSA processed all SPS payments under $50,000 with two required unique PINs, it released eight SPS payments of $50,000 or more without the required three unique PINs. SPS processed one payment even though the second PIN matched the final PIN. SSA informed us that SPS programming logic, which had been changed since the date of the payment we identified, did not allow the second and final PINs to match. SPS processed the other seven payments even though the third PIN was the same as the first PIN.

[3] SSA programmatic systems include Title II Claims Processing Systems.

In all eight payments, there were intervening actions between when the payment was entered and when it was approved. Per SSA staff, three unique PINs must approve SPS payments of $50,000 or more after payment data are changed or payments are disapproved. In these cases, the disapprovals and/or changes to the record occurred before SSA released the payments. SPS read the PIN that originally established the payment as the first PIN and then released the payment based on the presence of two additional unique PINs, despite the disapprovals or changes that occurred between the first PIN and the other two PINs.

For example, SSA released a $60,848 payment approved by only two unique PINs in July 2008. An SSA employee initially established the payment in SPS on April 1, 2008. SSA staff disapproved the payment a number of times. On July 2, 2008, an SSA employee disapproved the payment and then, after further review, approved the payment—becoming the originating PIN for the payment. Another employee provided the second PIN. Once the second PIN was added, the same employee who provided the originating PIN provided the third PIN needed to release the payment.

In the above example, the employee who served as the first and third PINs could alter the payment amount, direct deposit information, and/or address information to reroute the payment when he or she approved the payment as the first PIN. Once this employee approved the $60,848 payment, SSA’s policies and procedures required that two other employees approve the payment as the second and third PINs because the payment exceeded the $50,000 threshold. In this case, the system allowed this employee to serve as the first and third PINs.

At our request, SSA reviewed the eight cases and confirmed that they were appropriate payments sent to the right individuals. SSA also confirmed that, although SPS released these eight payments with only two unique PINs, the system should have required three unique PINs before releasing the payments. We met with SSA systems staff in Headquarters and worked with them to identify the error in the programming logic that allowed the release of these payments. Although the error in programming logic that allowed a payment to be released with the same second and third PINs was previously corrected, a change in programming logic to prevent the first and third PINs from matching, as in the example above, is still required. SSA staff told us they are correcting the programming language to prevent SPS from accepting duplicate PINs in the future.

CENTERS FOR SECURITY AND INTEGRITY REVIEWS

Employees in SSA’s program service centers (PSC) process SPS payments. SSA has eight PSCs, six of which are located in the regions, and two are located at the Agency Headquarters in Baltimore, Maryland. SSA’s regional Centers for Security and Integrity (CSI) use the PSC Onsite Security Control and Audit Review (OSCAR) guide to review the effectiveness of management controls in the PSCs. Per OSCAR guidance, regional CSIs are required to review 100 percent of SPS payments of $50,000 or more for accuracy and managerial oversight. [4] The PSC OSCAR guide requires that staff ensure SPS payments were timely, completed for authorized situations, and supported by appropriate documentation. The PSC OSCAR guide does not specifically require that CSI staff review whether the payment was authorized by the appropriate level of staff or the required number of PINs.

CSI does not review SPS payments originating from the two PSCs at Agency Headquarters. SPS payments originating from these two PSCs are reviewed before release by Payment Determination Analysts (PDA) in the Office of Central Operations. [5] PDAs analyze and review SPS payments to detect actual or potential fraud or abuse and approve the payments. They follow the review procedures in the OSCAR guide before releasing payments.

Of the eight payments of $50,000 or more released by two unique PINs, a PDA reviewed and released seven, and a manager in a PSC released one that was later reviewed by CSI. While PDAs or CSI staff reviewed all eight payments according to OSCAR guidance, they did not detect that the payments were released without the prerequisite three unique PINs. In fact, the PDAs who released seven of the eight payments, released the payments as the third PIN even though they had also signed the payments as the first PINs.

[4] Office of Central Operations, OSCAR, Chapter 9, Management Controls, July 2008.
[5] PDAs were previously part of CSI but were moved to the Office of Disability Operations in October 2008. PDAs review payments for accuracy under the same procedures as CSI before approving the payment.

CONCLUSION AND RECOMMENDATIONS

While all the SPS payments we reviewed were for the right amount and paid to the right person, SSA released a few SPS payments that were inconsistent with the authorizations required under its policies and procedures. All payments requiring two PINs for approval had two unique PINs. However, SSA processed eight payments that required three unique employee PINs with only two unique PINs. Also, while SSA reported that the payments were reviewed according to OSCAR guidance, SSA staff conducting the reviews did not detect that the payments were not properly authorized prior to release.

Accordingly, we recommend that SSA:

1. Amend SPS controls to ensure three unique PINs are present before releasing payments for the situations similar to those we identified during our audit.

2. Revise PSC OSCAR instructions to require testing of the SPS system controls put in place in response to our first recommendation to ensure they are operating as intended.

AGENCY COMMENTS AND OIG RESPONSE

The Agency agreed with our recommendations (see Appendix C).

Patrick P. O’Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Comments
APPENDIX D – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

ATS      Audit Trail System
CSI      Center for Security and Integrity
OIG      Office of the Inspector General
OSCAR    Onsite Security Control and Audit Review
PDA      Payment Determination Analyst
PIN      Personal Identification Number
POMS     Program Operations Manual System
PSC      Program Service Center
SPS      Single Payment System
SSA      Social Security Administration
U.S.C.   United States Code

Appendix B

Scope and Methodology

Our objective was to determine the effectiveness of controls over the release of Single Payment System (SPS) payments. To accomplish our objective, we:

• Reviewed applicable sections of the Social Security Act and other relevant legislation as well as the Social Security Administration’s (SSA) regulations, rules, policies, and procedures.

• Obtained two data extracts from the Audit Trail System (ATS) of SPS payments from May 1, 2002 through February 28, 2010.

    - For the first extract, we identified 867 SPS payments from a population of 2,578,983 SPS payments made in which it appeared the first personal identification number (PIN) matched either the second or third PIN. SSA policy dictates two unique PINs are required for payments of $6,000 to $49,999, and three unique PINs are required for payments of $50,000 or more. Upon further review, we concluded that 450 of the 867 payments only required 1 PIN for approval, and 409 payments had the required 2 unique PINs. The manner in which the data were recorded in ATS gave the appearance that these payments had two matching PINs even though only one PIN was required or two unique PINs were present when required. We identified eight SPS payments that required three unique PINs but only contained two.

    - The second extract consisted of 10,470 SPS payments from 1 segment of the population [1] of SPS payments that required 2 or 3 PINs. We split the extract into 2 populations: (1) 7,405 payments requiring 2 PINs and (2) 3,065 payments requiring 3 PINs.

• Reviewed a random sample of 50 payments from each of the 2 populations to determine whether authorized SSA employees approved the payments.

• Analyzed each of the two populations to determine whether any indicators of fraud were present. To identify potential fraud, we reviewed the total amount each individual was paid, reviewed direct deposit account data as well as the address to which the payments were sent.

• Reviewed an additional 43 payments in the 2-PIN approval process to 17 individuals to determine the accuracy of the payments. The payments reflected some of the highest paid individuals.

• Reviewed an additional 121 SPS payments in the 3-PIN approval process to 54 individuals to determine the accuracy of the payments. Each of these 54 individuals received an SPS payment totaling over $130,000.

• Reviewed the final PIN approvers to determine whether SSA employees processed an above average quantity of payments.

• Referred cases with matching PINs to SSA.

• Referred cases in which the approver appeared not to have the appropriate SPS approval authority to SSA.

• Concluded SSA’s Center for Security and Integrity data conducted 100-percent reviews of SPS payments of $50,000 or more, as required by SSA’s policy.

• Conducted SPS system validation tests with SSA Office of Systems’ employees to determine whether fewer PINs than required could process payments through SPS.

[1] One segment represents 5 percent of the population.

We performed our audit in the New York Audit Division between September 2009 and June 2010. We tested the data obtained for our audit and determined them to be sufficiently reliable to meet our objectives. The entities audited were the Division of Systems Security and Program Integrity, a component of the Office of Public Service and Operations Support, which is under the Deputy Commissioner for Operations, and the Office of Retirement and Survivors Insurance Systems under the Deputy Commissioner for Systems. We conducted our audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Appendix C

Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date:     September 23, 2010
Refer To: S1J-3
To:       Patrick P. O'Carroll, Jr.
          Inspector General
From:     James A. Winn /s/
          Executive Counselor to the Commissioner
Subject:  Office of the Inspector General (OIG) Draft Report, "Controls Over Single Payment System Payments" (A-02-09-29123)--INFORMATION

Thank you for the opportunity to review the subject report. Please see our attached comments.

Please let me know if we can be of further assistance. Please direct staff inquiries to Rebecca Tothero, Acting Director, Audit Management and Liaison Staff, at extension 6-6975.

Attachment:
SSA Response

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, “CONTROLS OVER SINGLE PAYMENT SYSTEM (SPS) PAYMENTS” (A-02-09-29123)

Thank you for the opportunity to review the subject report. You analyzed more than 2.5 million SPS payments we made over nearly eight years and found only eight instances with minor issues. You also drew a sample of 264 payments and did not identify any improper payments in your sample. Your findings confirm that we have strong internal controls over SPS activity and that we process SPS payments correctly.

You state in your conclusion that, “SSA released a few SPS payments that were inconsistent with the authorizations required under its policies and procedures.” In response, we have already taken action to correct those inconsistencies.

Recommendation 1

Amend SPS controls to ensure three unique PINs are present before releasing payments for the situations similar to those we identified during our audit.

Comment

We agree. On August 21, 2010, we modified the SPS software. In order to generate payment, SPS now requires three unique personal identification numbers for SPS payments greater than $49,999.99.

Recommendation 2

Revise PSC OSCAR instructions to require testing of the SPS system controls put in place in response to our first recommendation to ensure they are operating as intended.

Comment

We agree in principle with your recommendation. However, instead of testing the SPS system controls we will semiannually review a representative sample of SPS payments of $50,000 or more to make sure the system’s change is operating as intended.

Appendix D

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Tim Nee, Director, New York Audit Division

   Christine Hauss, Audit Manager

Acknowledgments

In addition to those named above:

   Raquel Tavera, Program Analyst

   Rajula Chandran, Senior IT Specialist

For additional copies of this report, please visit our Website at www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public Affairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number A-02-09-29123.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Counsel to the Inspector General

OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations

OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG’s media and public information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management

OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG’s strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.
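
Added example (not SSA's code and not part of the audit report): a simplified Python model of the first-and-third PIN match described under "SPS Payments of $50,000 or More", together with the unique-PIN test the auditors applied to the ATS extract in Appendix B. The thresholds and the $60,848 case come from the report; the event names, the PIN placeholders and the way the flawed check selects its first PIN are assumptions made for illustration.

```python
from dataclasses import dataclass


def required_pins(amount):
    """Unique PINs the report says a payment needs (thresholds since June 22, 2009)."""
    if amount >= 50_000:
        return 3
    if amount > 6_000:
        return 2
    return 1


@dataclass(frozen=True)
class Event:
    action: str  # "establish", "change", "disapprove", "approve" (assumed names)
    pin: str     # constructed placeholder, not a real employee PIN


def current_chain(events):
    """PINs that count toward release: those entered since the last reset."""
    chain = []
    for ev in events:
        if ev.action == "establish":
            chain = [ev.pin]            # originator supplies the first PIN
        elif ev.action in ("change", "disapprove"):
            chain = []                  # approval has to start over
        elif ev.action == "approve":
            chain.append(ev.pin)
    return chain


def release_flawed(amount, events):
    """Assumed model of the defect: the first PIN is read from the event that
    originally established the payment, so later approvers are only compared
    with that stale PIN and with each other."""
    need = required_pins(amount)
    if need == 1:
        return True
    first = events[0].pin
    approvals = [ev.pin for ev in events[1:] if ev.action == "approve"]
    return len({first, *approvals[-(need - 1):]}) >= need


def release_fixed(amount, events):
    """Release only when the current approval chain holds enough distinct PINs."""
    return len(set(current_chain(events))) >= required_pins(amount)


def lacks_unique_pins(amount, pins):
    """Audit test for one extract row: fewer distinct PINs than the amount needs."""
    return len({p for p in pins if p}) < required_pins(amount)


# Constructed timeline shaped like the report's $60,848 case.
REPORT_CASE = [
    Event("establish", "PIN-A"),
    Event("disapprove", "PIN-X"),
    Event("disapprove", "PIN-B"),
    Event("approve", "PIN-B"),   # becomes the originating PIN
    Event("approve", "PIN-C"),   # second PIN
    Event("approve", "PIN-B"),   # third PIN, same employee as the first
]
NORMAL_CASE = [Event("establish", "PIN-A"), Event("approve", "PIN-B"),
               Event("approve", "PIN-C")]

# Constructed extract rows: (amount, [first, second, third PIN as recorded]).
EXTRACT_ROWS = [
    (4_200, ["PIN-A", "PIN-A", None]),        # 1 PIN required: not a finding
    (12_000, ["PIN-A", "PIN-B", "PIN-A"]),    # 2 unique PINs present: not a finding
    (60_848, ["PIN-B", "PIN-C", "PIN-B"]),    # 3 required, 2 unique: finding
]

if __name__ == "__main__":
    print("flawed releases report case:", release_flawed(60_848, REPORT_CASE))
    print("fixed releases report case: ", release_fixed(60_848, REPORT_CASE))
    print("findings:", [a for a, p in EXTRACT_ROWS if lacks_unique_pins(a, p)])
```

Counting distinct PINs against the amount's requirement, rather than flagging any repeated PIN field, is what separates the eight findings from the 859 look-alike rows the report describes.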